Vulnerable-GitLab-CVE-2016-9086

Author: Khasan Abdurakhmanov

Affiliation: Innopolis University

Introduction

GitLab is a popular open-source web application that provides a Git-repository manager and issue-tracking system. It is widely used by software development teams for version control, collaboration, and project management.

In November 2016, a critical vulnerability was discovered in GitLab that allowed unauthenticated remote attackers to gain administrative privileges. This vulnerability was assigned the identifier CVE-2016-9086 and was patched in GitLab versions 8.14.6, 8.13.12, and 8.12.15.

CVE-2016-9086: Unauthenticated Remote Code Execution

CVE-2016-9086 was a vulnerability in the GitLab API that allowed unauthenticated attackers to execute arbitrary code with administrative privileges. The vulnerability was caused by improper validation of user input in the API endpoint used for creating new projects.

By sending a specially crafted request to the API endpoint, an attacker could bypass authentication and authorization checks, allowing them to create a new project with a malicious configuration. This configuration could include a malicious hook script that would be executed with the privileges of the GitLab server, effectively giving the attacker full control over the system.


Tools and Setup

To understand the vulnerability you are dealing with and to reproduce it reliably, you need a small set of specific tools. Here is the list of essential tools:

  1. Docker

    Docker is a platform that has gained wide acceptance for containerization. It greatly simplifies the process of managing and deploying applications in containers, making it a vital tool for any developer.

In addition to Docker, this guide will also use Docker Compose to define and manage the multi-container application. Docker Compose allows you to define the services, networks, and volumes required for the application in a single configuration file, making it easier to set up and manage the environment.


Setting Up Vulnerable-GitLab-CVE-2016-9086

Only one way of setting up Vulnerable-GitLab-CVE-2016-9086 is provided: Docker Compose.

  1. Clone the Vulnerable-GitLab Repository
    First, clone the Vulnerable-GitLab repository from GitHub to your local machine and change into the CVE directory:
    git clone https://github.com/SNE-M23-SN/Vulnerable-GitLab.git
    cd Vulnerable-GitLab/CVE-2016-9086/

  2. Build and Run the GitLab Container
    Use Docker Compose to build and run the GitLab container:
    docker compose up -d

  3. The Infrastructure Overview

The overall infrastructure consists of three Docker containers: Redis, PostgreSQL, and GitLab. These containers are orchestrated using the Docker Compose tool, which allows for easy deployment and management of the entire setup.

  4. Access GitLab
    Open http://localhost:8080 in your web browser to access the GitLab interface. The default administrator account credentials are username root and password vulhub123456.


Exploiting Vulnerabilities

CVE-2016-9086 is a critical vulnerability in GitLab, a popular web-based DevOps lifecycle tool. This vulnerability exists in the import/export project feature, which was added in GitLab version 8.9. The flaw allows an authenticated user to exploit symbolic links in tar archives, leading to arbitrary file disclosure on the server.

Key Details

Technical Details

The import/export project feature lets users export and import projects as tar archive files. However, this feature did not properly validate symbolic links within user-provided tar archives. Consequently, a malicious user could craft a tar file containing symbolic links that point to sensitive files on the server.

When such a tar file is imported, GitLab would follow the symbolic links and read the contents of the target files, exposing them to the attacker. This could include critical files like /etc/passwd or files containing secret tokens and keys.

Exploit Scenario

  1. User Registration: An attacker registers an account or uses an existing one on the vulnerable GitLab instance.

  2. Craft Malicious Tar File: The attacker creates a tar file with symbolic links pointing to sensitive files.

  3. Upload Tar File: The attacker uses the import project feature to upload the crafted tar file.

  4. File Disclosure: GitLab processes the tar file and follows the symbolic links, thereby exposing the contents of the linked files to the attacker.
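The technical details and the exploit scenario above both come down to one missing check: tar members were trusted before extraction. The following Python example is added here to show the defensive side; it is not GitLab code and not part of this repository. It builds two constructed in-memory project exports (a benign one and one carrying symlinks that point outside the extraction root, using /etc/passwd from the text and a constructed placeholder path for a secrets file), audits every member before anything touches the filesystem, and only extracts regular files and directories. The function names, the archive layout and the sample contents are assumptions made for the example.

```python
import io
import os
import posixpath
import tarfile
import tempfile

# --- constructed sample archives (not real GitLab exports) -------------------

def _build_archive(entries):
    """Build a tar archive in memory from (kind, name, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for kind, name, payload in entries:
            ti = tarfile.TarInfo(name)
            if kind == "file":
                body = payload.encode()
                ti.size = len(body)
                tar.addfile(ti, io.BytesIO(body))
            elif kind == "dir":
                ti.type = tarfile.DIRTYPE
                tar.addfile(ti)
            elif kind == "symlink":
                ti.type = tarfile.SYMTYPE
                ti.linkname = payload
                tar.addfile(ti)
    return buf.getvalue()

# A benign export: files plus one symlink that stays inside the project tree.
BENIGN_EXPORT = _build_archive([
    ("dir", "project", None),
    ("file", "project/project.json", '{"name": "demo"}'),
    ("symlink", "project/latest.json", "project.json"),
])

# A hostile export of the kind described on the page: symlinks to files
# outside the archive root plus a path-traversal member name. The secrets
# path is a constructed placeholder, not a real GitLab path.
MALICIOUS_EXPORT = _build_archive([
    ("file", "project/project.json", '{"name": "demo"}'),
    ("symlink", "project/project.json.bak", "/etc/passwd"),
    ("symlink", "project/VERSION", "../../../../secret_tokens.example"),
    ("file", "../escape.txt", "outside the root"),
])

# --- the check GitLab was missing ------------------------------------------

def _escapes_root(path):
    """True if a POSIX path is absolute or climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def audit_import_archive(data):
    """Inspect every member before extraction and return a list of findings.

    An empty list means every member name stays inside the root and every
    link (symbolic or hard) resolves to a location inside the root too.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if _escapes_root(m.name):
                findings.append("%s: member path escapes extraction root" % m.name)
            if m.issym() or m.islnk():
                target = m.linkname
                # Relative targets are resolved against the member's own directory.
                resolved = target if posixpath.isabs(target) else \
                    posixpath.join(posixpath.dirname(m.name), target)
                if _escapes_root(resolved):
                    findings.append("%s: link to %r escapes extraction root" % (m.name, target))
    return findings

def safe_extract(data, dest):
    """Refuse the archive if the audit fails; otherwise write only regular
    files and directories. Links of any kind are never materialised."""
    findings = audit_import_archive(data)
    if findings:
        raise ValueError("refusing to import archive: " + "; ".join(findings))
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            out = os.path.join(dest, *m.name.split("/"))
            if m.isdir():
                os.makedirs(out, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(out), exist_ok=True)
                with tar.extractfile(m) as src, open(out, "wb") as fh:
                    fh.write(src.read())
                written.append(out)
    return written

def demo_extract(data):
    """Extract into a throwaway directory and return the number of files
    written, or -1 if the archive was rejected."""
    with tempfile.TemporaryDirectory() as d:
        try:
            return len(safe_extract(data, d))
        except ValueError:
            return -1

if __name__ == "__main__":
    print("benign findings:", audit_import_archive(BENIGN_EXPORT))
    print("malicious findings:", audit_import_archive(MALICIOUS_EXPORT))
    print("benign files written:", demo_extract(BENIGN_EXPORT))
    print("malicious result:", demo_extract(MALICIOUS_EXPORT))
```

The audit runs over the member table alone, so no file is created before the decision is made; the extractor then refuses to create links at all, which is the stricter policy an importer of untrusted archives should default to, since a project export has no legitimate need for them.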

Impact

The impact of this vulnerability is severe as it allows authenticated users to read any file accessible by the GitLab service account. This can lead to the exposure of sensitive information, potentially compromising the entire GitLab instance and any data it handles.

Conclusion

CVE-2016-9086 is a critical security vulnerability in GitLab versions 8.9 to 8.13.0, introduced by the improper handling of symbolic links in the import/export project feature. This flaw allows authenticated users to disclose arbitrary files on the server by exploiting symbolic links in crafted tar archives. The vulnerability can lead to the exposure of sensitive information, compromising the security of the GitLab instance and the data it manages.